Preventing Data Breaches & Vendor Selection Due Diligence

August 12, 2020

As many are now aware, Morgan Stanley recently issued a data breach notification after learning that IT assets it disposed of four years ago may not have been properly wiped by the vendor it hired to do so at the time.

How did Morgan Stanley end up in this position in the first place? Morgan Stanley may turn out to have been lucky, in that an actual breach may never have resulted from this negligence, but other companies will not fare so well. IBM's latest annual Cost of a Data Breach study puts the average cost of a data breach at $3.86 million.[1] The Morgan Stanley incident is a good occasion to discuss how this kind of failure can be prevented going forward.

A History of Improper Disposal

Under data protection regulations, a business is responsible for conducting due diligence on any vendor it hires, and it must be able to prove that it did so; without that proof, the business may be liable for the vendor's missteps. Unfortunately, there have been many incidents in which improper sanitization of electronic media, and improper disposal of paper records, led to similar outcomes. Just last year in our iG Journal we shared an article from Bitraser, Residual Data: Threats at the Tail of Devices. Among their findings: 7 out of 10 used devices contained residual data, putting PII and other personal data at risk of leakage, and 71% of the individuals who disposed of old devices were left exposed to data privacy threats. The iG Journal article summarizes their findings, and the full report is available from Bitraser.

In 2017, as many will remember, NAID performed an extensive Second Hand Devices Study on the personal information that remains on used devices. The objective was to see how much data could be recovered from second-hand devices that should have been wiped, without any heroic effort: the third party that conducted the study used only software anyone can download to scrape for data, and if a drive appeared damaged it was not pursued. The study found that 40 percent of devices resold through publicly available resale channels contained PII. As i-SIGMA CEO Bob Johnson said of the findings, “The problem lies with service providers who are not qualified and, too often, with businesses and individuals who feel they can do it themselves.”

Leading the Pack

What can companies do to stay actively aware of how they dispose of personal data, whether on paper or on electronic media, and keep their customers safe? For one, they can choose service providers that are NAID AAA Certified. Because the certification is designed specifically to verify and monitor regulatory compliance and security best practices, requiring NAID AAA Certification of a secure data destruction provider goes a long way toward satisfying the customer's own due diligence obligation. The customer should still keep the vendor contract, the asset inventory and the certificates of destruction on file, since those records are what answer a question raised years after the fact, as in the Morgan Stanley case. Service providers that acquire and maintain NAID AAA Certification subject themselves to both announced and unannounced audits, which verifies the efficacy and quality of their disposal process. With over 1,000 NAID AAA Certified locations worldwide, it is by far the most recognized and widely accepted data destruction certification available. Use the NAID directory to find a NAID AAA Certified Service Provider.

By: Maggie Geolat, Marketing Coordinator, i-SIGMA